Regulatory: The CFPB’s UDAAP deceptive standard does not require knowledge or intent

This article is the third in a series of six articles concerning UDAAP. Read parts one and two.

As part of the Dodd-Frank Wall Street Reform and Consumer Protection Act, Congress empowered the Consumer Financial Protection Bureau (CFPB) to prohibit consumer financial services companies from, among other things, engaging in deceptive acts or practices related to their consumer financial products and services. The CFPB takes this particular authority very seriously, as a number of major credit card companies learned last summer when they settled with the bureau and other regulators for a collective $500 million at the end of a long investigation involving alleged consumer deceptions by credit card call centers.

That sounds simply awful, doesn’t it? Call centers deceiving consumers—we do not want that in our consumer financial services marketplace. But do we really understand what that means? The case raises the question: What is deception?

For many of us, deception is a loaded word. In other words, when we hear the term in conversation, it evokes strongly negative reactions beyond the literal meaning of the word “deception” itself.

Deception, in most contexts, simply means "misleading." Someone is misled by something. But that raises a number of questions for us. We want to know—we often demand to know—who caused the deception? Who misled us?

Many of us assume that intent is always a part of deception or that a deceiver is purposeful. That is true for some forms of deception. Take common law fraud, for example. Fraud is defined as an intentional deception and specifically requires the accuser to prove intent as one of the elements of a fraud claim. A related concept is scienter—the legal term for knowledge or intent of wrongdoing, which is sometimes required for certain civil and common law deceptions.

For anyone operating in the consumer financial services space, however, it is important to understand that not every deception requires intent or scienter. In other words, deception does not necessarily rise to the level of fraud. Common, everyday mistakes and oversights can be a punishable deception in many cases, even if a company did not decide to deceive consumers.

Impossible, you say? Deception requires some sort of intent, right? Not an uncommon belief, but it is incorrect.

A case in point, and a very important one, is the kind of deception the Dodd-Frank Act prohibits. The deceptive standard contained in the unfair, deceptive or abusive acts or practices (UDAAP) provisions of that statute does not require that the deceiver intend to deceive consumers in order to be punished. Deceivers will be punished more for knowingly deceiving (which does not necessarily include an intent to deceive), but the punishment for the unintentional deception is severe, at up to $25,000 per day of the deception. The penalty rises to up to $1 million per day for knowing deceptions.

Are you still skeptical about the intent requirement of UDAAP’s deceptive standard? Take a look at the standard, as defined by the CFPB:

A representation, omission, act or practice is deceptive when:

1. The representation, omission, act or practice misleads or is likely to mislead the consumer

2. The consumer’s interpretation of the representation, omission, act or practice is reasonable under the circumstances

3. The misleading representation, omission, act or practice is material

Boiling the standard down, it provides that an act or practice violates UDAAP when a “deceiver’s” material communication either misleads or is merely likely to mislead a consumer acting reasonably under the circumstances. Notably, the definition does not mention or even hint at the deceiver’s intent, knowledge, comprehension, understanding, awareness, realization or anything of the kind. It is simply not required.

For those of us who engage in the non-consumer side of the consumer financial products and services industry—from credit cards to mortgages to school loans to prepaid cards and beyond—the lack of a knowledge or intent requirement presents significant compliance challenges. UDAAP’s deceptive standard essentially requires an institution to put itself into the position of a hypothetical consumer using the institution’s products and services in a manner that is reasonable. This is a tall order indeed.

Add to this tall order the subjectivity inherent in UDAAP’s unfairness standard (discussed in the last installment of this series) and the complete lack of any real guidance on UDAAP’s abusive standard (to be discussed in the next installment) and, at least for the unwatchful and the unwary, all the necessary components for a compliance failure are present. What can we do about it?

It is not at all hopeless, but companies must be diligent and vigilant. Even then, all that can be done is to lower the risk of a compliance failure. With UDAAP’s vagaries and the CFPB’s lack of meaningful guidance regarding its UDAAP agenda, complete confidence will elude the industry for the foreseeable future. We will, however, explore a number of self-help options and industry-wide solutions to this risk management dilemma at the back end of this series. Until then, hang tight!